When Hardware Attacks

scaleMarc Witteman

Belas summer school 2019

Who is Riscure?

• Security lab in

the Netherlands, USA, China

• 100+ experts @ work

• We serve over 100 clients worldwide

• Security test tools

• Security test services

• We test devices that must be

secure in a hostile environment

• We help our customers to

improve security of their products

Attack exploitation space: time vs distance

3

protocolsoftware

Local

Fast Slow

Remote

key brute

force

side

channel

fault

injection

physical

relay

attack

Hardware attacks require:

• hardware vulnerabilities, or

• hardware changes to target

mitm

Hardware attacks

𝑝 = 𝑛 ∗ 𝑣 − 𝑐𝑣 − 𝑐𝑓p = profit

n = replications

v = value

cv = variable costs

cf = fixed costs

Attacker business case

4

1. Smart card Man-in-the-Middle

Hardware attack to bypass PIN verification of stolen payment cards

2. Retail hack

Network penetration attack to retrieve cardholder credentials

3. Card sharing

Relay attack to avoid paying TV subscription fees

Let’s analyze some known attacks

5

Smart card Man-in-the-Middle (1)

6Source: https://www.cl.cam.ac.uk/research/security/banking/nopin/

Chipcard Man-in-the-Middle (1)

7Source: https://www.cl.cam.ac.uk/research/security/banking/nopin/

EMV Man-in-the-Middle (2)

8

Retail hack

9

Retail hack

10

Retail hack

11

Retail hack

12

Retail hack

13

• Pay-TV decoders use smart cards

to control video access

• Subscription is in smart card

Card sharing (1)

14

Satellite data stream includes:

• Code words

• Encrypted

video stream

How does satellite TV work?

15

Smart card

Decrypt

Subscription key

Video key

SoC

DecryptVideo stream

• Pay-TV decoders use smart cards

to control video access

• Subscription is in smart card

• Distribution of video keys avoids

need for individual subscriptions

Card sharing (2)

16

Attack Fixed

Cost

Variable

Cost

Value Replications Profit

SC MitM € 30K € 100 € 500 100 € 10 K

Retail hack € 20K € 1 € 25 10K € 220 K

Card sharing € 10K € 10 € 100 1M € 90 M

Example attack business cases

17

Replications are key, but how is that bounded?

• Application size (e.g. #potential victims)

• Detection & mitigation

• Replication effort

To determine scalability, we need to quantify the replication effort

Attack phases and cost

Identification Exploitation

What it is finding a vulnerability replicate on target

Frequency once repeated

Speed How fast can we do this?

Skill Required knowledge / experience

Equipment Type of equipment

Location Where is the attacker?

What parameters determine the attack cost?

Fixed cost Variable cost

Attack parameters

Identification Exploitation

Vulnerability Hardware Software Hardware Software

Speed slow slow slow fast

Skill expert expert proficient layman

Equipment specialized standard specialized none

Location local near local remote

Scalable attackScalable attacks need software exploitation!,

but can build on hardware identification

What are typical attack parameters?

Defenders methodAttackers method

How to find software vulnerabilities?

20

White-BoxBlack-Box

Source Code

Review

Binary

AnalysisFuzzing

Model Based

Testing

Effectiveness

Most vulnerabilities are found white-box style!

Problem: Moore’s Law keeps pushing the limits

10.000

100.000

1.000.000

10.000.000

100.000.000

2005SmartCard

2010SmartMeter

2015SmartPhone

2020SmartCar

Software Lines of Code

Software vulnerabilities found

Source: NIST

Binary analysis

Disassemble

Flow analysis

Manual code review

Software packages typically have

0.1 up to 10 vulnerabilities per KLoC

All products have software vulnerabilities

Manual source code review performs at 100 LoC/hr

Finding a vulnerability in source code may take just one day

27

Static code analysis

Confidential

• Given the widespread presence of vulnerabilities there is an

increasing desire to mitigate risk

• Finding software vulnerabilities gets more difficult without

access to source/binary code

• Access to device software is increasingly restricted:

• PC software used to be accessible (e.g. exe files)

• Smart phone software is only visible for root

• Set-Top-Box software is hidden, and encrypted in transit

• How to attack a product protected with software encryption?

Software vulnerability hiding

inte

rna

l

29

Attacking encrypted software

Hardware attack offers two-step alternative:

1. Break software confidentiality

2. White-box binary analysis exposes logical vulnerability 30

Binary analysis

exposes logical

vulnerability

Exploitation

yields runtime

control

Start

Black-Box penetration testing

exposes logical vulnerability

Start Exploitation

yields runtime

control

Hardware attack

breaks software

confidentiality

Start Binary analysis

exposes logical

vulnerability

Exploitation

yields runtime

control

Encrypted software hides binary code

Black-Box penetration testing very inefficient

What is Secure Boot?

Internal boot ROM

1st stage boot

loader Nth stage boot

loader

Verify signature& decrypt

ApplicationVerify signature& decrypt

Verify signature& decrypt

An attacker who breaks secure boot can:

• Extract secrets

• Load & run arbitrary software

Source: http://www.fredericb.info/2016/10/amlogic-s905-soc-bypassing-not-so.html

Design flaw in

Pay-TV SoC

Secure boot chain broken by backdoor

Attacker used hardware weakness to dump

Boot Loader image

Re

stric

ted

33

Boot Loader header analysisstruct aml_img_header { // 64 bytes

unsigned char magic[4];// "@AML"

uint32_t total_len;

uint8_t header_len;

uint8_t unk_x9;

uint8_t unk_xA;

uint8_t unk_xB;

uint32_t unk_xC;

uint32_t sig_type;

uint32_t sig_offset;

uint32_t sig_size;

uint32_t data_offset;

uint32_t unk_x20;

uint32_t cert_offset;

uint32_t cert_size;

uint32_t data_len;

uint32_t unk_x30;

uint32_t code_offset;

uint32_t code_len;

uint32_t unk_x3C;

} aml_img_header_t;34

sig_type provides backdoor

that bypasses verification

Select

Certificate

Go

Get key

Public key

Code

Hash

Signature

Verified Sig

Verify

Hashed code

Compare

Stop

Conclusions

Scalable attacks need software exploitation

o Hardware attacks are laborious

o Software vulnerabilities are ubiquitous

o Software exploits are easy to replicate

Software encryption is inevitable for security

o Binary analysis very successful in identifying vulnerabilities

o Increasing number of products use encrypted software

Hardware attacks are scalable when

o Software is encrypted

o Shallow bugs (detectable black-box style) are absent

o Used in the identification step to extract software

o Deep software vulnerabilities are present

35

Riscure North America

550 Kearny St.

Suite 330

San Francisco, CA 94108

+1 (650) 646 9979

inforequest@riscure.com

Riscure B.V.

Frontier Building, Delftechpark 49

2628 XJ Delft

The Netherlands

Phone: +31 15 251 40 90

www.riscure.com

Contact:

Riscure China

No. 989, Changle Road

Room 2030-31

Shanghai 200031

+86 21 5117 5435

inforcn@riscure.com

Marc Witteman

witteman@riscure.com

Riscure is hiring, visit https://www.riscure.com/careers/